SOLUTION: HTTP to HTTPS OWA redirection via ISA 2006 is not working with error FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED

Problem:

HTTP to HTTPS OWA redirection via ISA 2006 is not working with error FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED

Symptoms:

You configured HTTP to HTTPS redirection for OWA (that is, a user who connects to http://mail.contoso.com is redirected to https://mail.contoso.com/owa). But the OWA page is not displayed and the browser shows no error; it just waits. If you start logging in ISA 2006 Server monitoring, you see the following error in the log for the connection from the client IP:

FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED

0xC0040037      A connection was rejected because the maximum connections rate for a single client host was exceeded.

Cause:

/* is entered on the Path tab of the HTTP to HTTPS redirection rule. You defined a rule as follows:

If a user connects to http://mail.contoso.com, the rule denies the connection and redirects the HTTP request to the web page https://mail.contoso.com/owa. The OWA publishing allow rule below the redirection rule then applies to the public name https://mail.contoso.com/owa, and the OWA page is displayed.

The intent is that the user does not need to type https at the beginning of the address or /owa at the end. But because /* was entered in the Internal Path field on the Path tab, the redirected request to https://mail.contoso.com/owa is redirected again to https://mail.contoso.com/owa and a loop occurs. Because of the * character, the redirection rule applies again and again.

As a result, ISA drops the connections: the repeated connections look like an attack, and the maximum connection rate for a single client host is exceeded.

And of course you should have an OWA publishing rule for https://mail.contoso.com/owa, which applies when the connection is redirected to https://mail.contoso.com/owa. OWA publishing rule configuration is out of scope of this blog.

Resolution:

Use / and not /* in the HTTP to HTTPS redirection rule. A connection to http://mail.contoso.com hits the redirection rule first, and the redirected connection to https://mail.contoso.com/owa hits the OWA publishing rule, which should be placed under the redirection rule.
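
The loop and its fix can be reproduced with a small model of top-down rule evaluation. This is an added example, not ISA Server code and not part of the original post. The rule names, the /owa* path on the publishing rule, the hop limit, and matching on host and path only (ignoring the scheme, as the symptom above implies) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_TARGET = "https://mail.contoso.com/owa"
MAX_HOPS = 20  # constructed stand-in for the per-client connection rate limit

def path_matches(pattern, path):
    """Path match as the post describes it: '/*' covers every path, '/' only the root."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def build_rules(redirect_path):
    """Ordered rule list: the redirection rule sits above the OWA publishing rule."""
    return [
        # (hypothetical rule name, public name, path pattern, action)
        ("redirect-rule", "mail.contoso.com", redirect_path, "redirect"),
        ("owa-publishing-rule", "mail.contoso.com", "/owa*", "allow"),
    ]

def evaluate(url, rules):
    """Return (rule name, action) of the first rule whose host and path match."""
    parts = urlsplit(url)
    path = parts.path or "/"
    for name, host, pattern, action in rules:
        if parts.hostname == host and path_matches(pattern, path):
            return name, action
    return None, "deny"

def follow(url, rules):
    """Follow redirects the way the browser does; report a loop once MAX_HOPS is passed."""
    hops = [url]
    while len(hops) <= MAX_HOPS:
        name, action = evaluate(hops[-1], rules)
        if action != "redirect":
            return hops, f"{action} by {name}"
        hops.append(REDIRECT_TARGET)
    return hops, "loop"

if __name__ == "__main__":
    for redirect_path in ("/*", "/"):
        hops, outcome = follow("http://mail.contoso.com", build_rules(redirect_path))
        print(f"path {redirect_path!r}: {len(hops) - 1} redirect(s), outcome: {outcome}")
```

With /* the request for /owa never reaches the publishing rule, because the redirection rule above it matches first on every pass.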

More Information:

For the HTTP to HTTPS redirection rule to work with this method, port 80 must be open from the Internet to the ISA Server. The first connection request to http://mail.contoso.com should hit the redirection rule via port 80; the connection is then redirected to https://mail.contoso.com/owa and hits the OWA publishing rule for public name

To understand the messages in the ISA log, see:

ISA Server 2006 Logging Fields and Values

http://technet.microsoft.com/en-us/library/bb838824.aspx
